Code Signing Technical How-to

Introduction


This technical guide describes how to start using code signing for signing of executable files, software releases, firmware or other custom formats.

Background

Harmful code is today a real threat to users and organizations alike, as criminal groups and even governments use malicious software to steal and monitor data, extort money or empty your bank account.

To digitally sign executable files such as applications, libraries and drivers is an important part of security whenever software is being distributed over insecure networks (internal or the Internet) or stored on untrusted media. Digitally signed code ensures that the software running on computers and devices is trusted and unmodified.

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The most common use of code signing is to provide security when deploying software, for example installing and updating applications on your computer. The digital signature on the software is used to verify the identity of the author of the software and that the software has not been modified.

SignServer

SignServer Enterprise is a secure code signing solution that allows you to keep code signing keys protected, and also provides a centrally managed and audited single service for all your code signing needs and allows you to keep code signing keys protected.

SignServer enables different project members or systems to authenticate and share the same protected code signing key and certificate when signing, and also provides audit records of who signed what. SignServer can also control individual code signing keys where only one person is granted authorization.

Most code signing needs are fulfilled by SignServer Enterprise, using different signers and custom plug-ins:

  • Authenticode for Portable Executables (PE signing) as of SignServer Enterprise 3.6.3.
  • Java (JAR signing) from 3.7.1 and Windows Installer (MSI signing) as of SignServer Enterprise 4.1.0.
  • Client-side hashing and construction for Authenticode and JAR signing as of SignServer Enterprise 4.2.0.

Documentation

The SignServer Manual is available in the following locations: